What is Forensics?
Definition
“Gathering and analyzing data in a manner as free from distortion or bias as possible to reconstruct data or what happened in the past on a system or network.” -Venema & Farmer (1999)

Why windump/tcpdump?
Windows SMS (Systems Management Server) ships Network Monitor, which could be used instead.
WinPcap/windump (or libpcap/tcpdump on Unix/Linux) are free.
The pcap format they write is understood by many other tools (especially on Unix/Linux), including Ethereal (now Wireshark), so a capture taken with windump can be analyzed anywhere.

windump switches
-s <snaplen>  how many bytes of each packet to keep; older versions default to a short snaplen (68 or 96 bytes) that keeps headers only, while 1514 covers a full Ethernet frame (14-byte header plus 1500-byte payload) and -s 0 means whole packets in newer versions
-w <outfile>  name of the file to save the capture to (pcap format)
-i <interface>  which interface to capture from (use -D to list the interfaces and pick the right one)
-n  don't do DNS name resolution (reverse lookups are slow and generate traffic of their own from the capture box)
"host x" or "tcp port 445"  a Berkeley Packet Filter expression to limit the scope of the capture

What to look for from the network?
Connections to many hosts, especially on the Windows RPC/NetBIOS/SMB ports 135-139 and 445 (the fan-out pattern of a worm or a scanner)
Large volumes of ICMP traffic
IRC traffic (a common bot command channel)
Analysis techniques
Top talkers (bytes or packets per source address)
Odd port combinations (services on ports where they don't belong)
Use Ethereal (Wireshark) to do protocol analysis on the saved pcap
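The two analysis techniques above, top talkers and SMB fan-out, run over a pcap file as an added example (this is not code from the original slides). It builds a small constructed capture inline so it runs offline, parses the libpcap record format that windump -w writes, and reports both measures. The sample addresses, the 12-host sweep and the threshold of 10 peers are assumptions chosen for illustration.

```python
"""Parse a libpcap (.pcap) file, list top talkers and flag hosts that connect to
many peers on the Windows RPC/NetBIOS/SMB ports 135-139 and 445.
Constructed sample traffic is built inline so the script runs offline."""
import struct
import socket
from collections import Counter, defaultdict

# Ports from the slide: 135 is the RPC endpoint mapper, 137-139 NetBIOS, 445 SMB.
SMB_PORTS = {135, 136, 137, 138, 139, 445}


def _pcap_global_header(snaplen=65535):
    # magic, major, minor, thiszone, sigfigs, snaplen, linktype (1 = Ethernet)
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)


def _tcp_frame(src_ip, dst_ip, sport, dport, flags=0x02, payload=b""):
    """Ethernet/IPv4/TCP frame; checksums are left zero (enough for a parser demo)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    return eth + ip + tcp


def build_sample_pcap():
    """Constructed capture (not real traffic): one host sweeping 12 peers on 445,
    a normal HTTP session and one legitimate file-server connection."""
    frames = []
    for i in range(1, 13):                      # 10.0.0.5 -> 10.0.1.1 .. 10.0.1.12:445, SYN only
        frames.append(_tcp_frame("10.0.0.5", f"10.0.1.{i}", 40000 + i, 445))
    for _ in range(2):                          # benign HTTP, PSH/ACK with a 100-byte payload
        frames.append(_tcp_frame("10.0.0.7", "10.0.0.1", 51000, 80, flags=0x18, payload=b"A" * 100))
    frames.append(_tcp_frame("10.0.0.9", "10.0.0.1", 52000, 445))   # one client, one file server
    out = [_pcap_global_header()]
    for n, f in enumerate(frames):              # record header: ts_sec, ts_usec, incl_len, orig_len
        out.append(struct.pack("<IIII", 1_000_000 + n, 0, len(f), len(f)) + f)
    return b"".join(out)


def parse_pcap(data):
    """Return one dict per IPv4 packet in a little-endian Ethernet pcap."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap is handled here")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != 1:
        raise ValueError("expected Ethernet (DLT_EN10MB)")
    pkts, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack_from("<IIII", data, off)
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                            # not IPv4, or cut short by a small snaplen
        ihl = (frame[14] & 0x0F) * 4
        proto = frame[23]
        rec = {"ts": ts_sec + ts_usec / 1e6, "src": socket.inet_ntoa(frame[26:30]),
               "dst": socket.inet_ntoa(frame[30:34]), "proto": proto, "len": incl_len}
        if proto == 6 and len(frame) >= 14 + ihl + 14:
            sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
            rec.update(sport=sport, dport=dport, flags=frame[14 + ihl + 13])
        pkts.append(rec)
    return pkts


def top_talkers(pkts, n=5):
    """Bytes sent per source address, largest first."""
    counts = Counter()
    for p in pkts:
        counts[p["src"]] += p["len"]
    return counts.most_common(n)


def smb_fanout(pkts, threshold=10):
    """Sources that opened connections (SYN without ACK) to at least `threshold`
    distinct hosts on 135-139/445: the worm or scanner pattern from the slide."""
    peers = defaultdict(set)
    for p in pkts:
        if p["proto"] == 6 and p.get("dport") in SMB_PORTS and p["flags"] & 0x12 == 0x02:
            peers[p["src"]].add(p["dst"])
    return {src: sorted(d) for src, d in peers.items() if len(d) >= threshold}


if __name__ == "__main__":
    packets = parse_pcap(build_sample_pcap())
    print("top talkers:", top_talkers(packets))
    for src, hosts in smb_fanout(packets).items():
        print(f"{src} opened SMB connections to {len(hosts)} hosts, e.g. {hosts[:4]}")
```

Counting only SYNs without ACK is deliberate: it measures who is initiating connections, so a busy file server answering many clients does not show up as a scanner. To run it on a real capture, replace build_sample_pcap() with the bytes of a file written by windump -w; captures taken with a snaplen shorter than 54 bytes will have their TCP headers skipped by the length check.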

What to gather on the live system
Collect data from most volatile to least volatile: memory and network state (connections, ARP cache, open sessions) first, running processes and logged-on users next, disk contents last
Collect it in a "forensically sound" manner
Minimal impact to the system: every command you run changes its state, so run few of them, from trusted copies of the tools on your own media
Don't store the results on the live system's disks (if you can help it); write to removable or network storage
Record what was run, when, and the hashes of the output
Automate it if you can (e.g., using WFT, the Windows Forensic Toolchest)
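An added example of automating that procedure (not the slide's own tooling and not WFT): a small collector that runs a fixed list of commands in order of volatility, writes each output to a collection directory meant to be on removable or network storage rather than the suspect disk, and keeps a log with a SHA-256 of every output so the evidence can be verified later. The Windows command list is an assumption about a typical live response; the function takes any list, so it can be exercised with a harmless command on any OS.

```python
"""Volatile-data collector: run commands most-volatile-first, save and hash each
output, and write a JSON log. Point `outdir` at removable or network storage."""
import hashlib
import json
import subprocess
import time
from pathlib import Path

# Assumed Windows live-response steps, most volatile first. In practice run the
# binaries from the responder's own trusted media, not the suspect's %PATH%.
WINDOWS_STEPS = [
    ("date_time", ["cmd", "/c", "date /t & time /t"]),
    ("netstat", ["netstat", "-ano"]),
    ("arp_cache", ["arp", "-a"]),
    ("sessions", ["net", "session"]),
    ("tasklist", ["tasklist", "/v"]),
    ("users", ["net", "user"]),
    ("run_key", ["reg", "query", r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"]),
]


def collect(steps, outdir, timeout=60):
    """Run each (name, argv) step in order; return the log that was written."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    log = []
    for name, cmd in steps:
        started = time.time()
        try:
            proc = subprocess.run(cmd, capture_output=True, timeout=timeout)
            data, rc = proc.stdout + proc.stderr, proc.returncode
        except (OSError, subprocess.TimeoutExpired) as exc:
            data, rc = repr(exc).encode(), None      # keep the failure as evidence too
        (outdir / f"{name}.txt").write_bytes(data)
        log.append({
            "step": name,
            "cmd": cmd,
            "rc": rc,
            "started_epoch": started,
            "seconds": round(time.time() - started, 3),
            "bytes": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    (outdir / "collection_log.json").write_text(json.dumps(log, indent=2))
    return log


if __name__ == "__main__":
    import sys
    # Usage: python collect.py E:\case42\host1   (assumed removable drive)
    for entry in collect(WINDOWS_STEPS, sys.argv[1] if len(sys.argv) > 1 else "collection"):
        print(entry["step"], entry["rc"], entry["bytes"], entry["sha256"][:16])
```

The log hashes are what make the output defensible later: re-hashing the saved files shows they have not changed since collection. The collector still runs through the suspect system's OS, so it is "minimal impact", not zero impact, and memory imaging (if wanted) belongs before any of these commands.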

Eradication in practice
Boot to safe mode and run A/V software
Search for and remove malicious registry entries (Run keys, services)
Remove the malware from the system
Verify all passwords have been changed; assume any credential used on the box was captured
When you cannot trust the cleanup, sanitize the disk (low-level format plus DoD erase), then reinstall the OS
Determine the patch / service pack levels the system needs
Apply them BEFORE reconnecting to the network, or the system will be reinfected

Lessons Learned
What additional instrumentation/protection should we add to all of our systems?
What can we do to improve our perimeter?
Does everyone really need to run as a local admin?
"Prevention is ideal, but detection is a must"